5 Replies Latest reply: Feb 16, 2010 8:22 PM by 807573

    Using Active Directory with Proxy Server

    807573
      Hi,

      I have been fiddling with the Directory Service LDAP settings but am unable to connect to our MS Active Directory server.

      1. Can proxy server connect to Active Directory (2003)?
      2. What is the format? This is what I have at the minute.
      Base DN DC=domain,DC=com,DC=au
      Bind DN administratoraccount@domain.com.au
      Bind Password password

      Is this correct?

      The error I get is
      An error occurred while contacting the LDAP server.

      (Can't connect to the LDAP server)
      A connection to the directory server could not be opened. Contact your directory server administrator for assistance.

      Can someone please provide the correct format of this screen so I can connect to my Active Directory server.

      Thanks

      Nathan
        • 1. Re: Using Active Directory with Proxy Server
          807573
          Right now, AD is not supported unless we use a little bit of a hack to reassign the ids. You can find an older thread in this forum.
          • 2. Re: Using Active Directory with Proxy Server
            807573
            Hi,

            I'm running 4.0.6 for i586 on Solaris 10 for x86 and I can report that IT DOES WORK.

            What you have to do is this:

            Base DN value is: DC=my,DC=full,DC=domain,DC=com
            Bind DN value is: CN=Administrator,CN=Users,DC=my,DC=full,DC=domain,DC=com

            Enter the right password if required and there you are.
            • 3. Re: Using Active Directory with Proxy Server
              807573
              Can you create groups in AD? I think not... As I see it, AD is really unsupported :(
              • 4. Re: Using Active Directory with Proxy Server
                807573
                I'm also trying to run with Win 2003 AD and tried what you've suggested above but it's not working.
                When I click on Manage Organization Units:
                An error occurred while contacting the LDAP server.

                If I ignore this error and just configure Administer Access Control to use this LDAP, the browser on the client side does not show the web proxy authentication dialog but an HTTP 500 error.
                • 5. Re: Using Active Directory with Proxy Server - Working config
                  807573
                  All:
                  After a bit of thought and enough time to figure it out, I finally have a working configuration that allows Proxy Server 4 to authenticate against Active Directory. There may be better ways to do this but this method works without changes to our AD environment.

                  The authentication process goes like this.
                  web proxy server -> directory proxy ->  request transformation -> active directory
                  In this particular case the directory proxy is doing several things.
                  1. Completing a virtual transformation on the objectclass 'groupofuniquenames' to the 'group' objectclass in AD.
                  2. Maps the attribute 'uid' to 'samaccountname'.
                  3. Maps the attribute 'uniquemember' to 'member'.

                  Here is a high level process to get working.
                  1. Install dsee 7 according to the docs. (http://docs.sun.com/app/docs/doc/820-4807/install-dsee?l=en&a=view)
                  2. Install the directory server console according to the docs. Note: When deploying dscc7 with sun webserver 7 please be sure the webserver is run with the same uid as the directory server admin server. (This means that the webserver will need to be run as 'root' in most cases.)
                  3. Create a new directory proxy server.
                  4. Configure the directory proxy to transform and proxy requests to AD.
                  dpconf create-ldap-data-source -D cn=proxymgr ad_source_native domaincontroller.ms.domain.com:389
                  dpconf set-ldap-data-source-prop -D cn=proxymgr ad_source_native is-enabled:true is-read-only:true
                  dpconf create-ldap-data-source-pool -D cn=proxymgr ad_native_pool
                  dpconf attach-ldap-data-source -D cn=proxymgr ad_native_pool ad_source_native
                  dpconf set-attached-ldap-data-source-prop -D cn=proxymgr ad_native_pool ad_source_native add-weight:100 bind-weight:100 modify-weight:100 search-weight:100
                  dpconf create-ldap-data-view -p 389 -D cn=proxymgr ad_native_directview ad_native_pool "ou=users,dc=ms,dc=domain,dc=com"
                  dpconf add-virtual-transformation -D cn=proxymgr ad_native_directview mapping attr-value-mapping objectclass internal-value:group view-value:groupofuniquenames
                  dpconf set-ldap-data-view-prop -D cn=proxymgr ad_native_directview attr-name-mappings:uid#samaccountname
                  dpconf set-ldap-data-view-prop -D cn=proxymgr ad_native_directview attr-name-mappings+:uniquemember#member
                  5. Configure the proxy admin server to use directory authentication.
                  host = directory proxy server  (not ad domain controller)
                  port= directory proxy port (not ad domain controller port)
                  base dn = dc=ms,dc=domain,dc=com
                  bind dn = CN=proxy user,OU=Users,DC=ms,DC=domain,DC=com <- most likely a service account.  Can only use a user's full DN.
                  passwd = user's password
                  6. Restart web proxy admin server.
                  7. Test by writing ACLs. Wouldn't it be nice if IE wasn't required for the GUI to work right.

                  Note:
                  1. You can monitor what is going on by reviewing the directory proxy server logs.
                  2. If you set the search base on the directory proxy to the server root (dc=ms,dc=domain,dc=com), you may get referral errors (err=52). This is why the "create-ldap-data-view" is set to "ou=users,dc=ms,dc=domain,dc=com" above. This could be set to anything as long as it's not the server root. For example, ou=hq,ou=us,dc=ms,dc=domain,dc=com.

                  If there are any brave souls out there willing to try this and have questions please let me know. I will help if I can.
                  -AJ
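
A check for the three mappings described in reply 5, added here as an example and not part of the original post: it reads the LDIF that a search through the directory proxy returns and reports whether uid, uniquemember and groupofuniquenames are what the client sees. The function names and both sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads LDIF on stdin (output of a
# search sent to the directory proxy, NOT to the AD domain controller) and
# checks that the three mappings from the post are visible to the client.
check_view_ldif() {
    awk '
        { l = tolower($0) }
        l ~ /^uid:/                              { uid = 1 }
        l ~ /^uniquemember:/                     { um = 1 }
        l ~ /^objectclass: *groupofuniquenames$/ { oc = 1 }
        l ~ /^samaccountname:/                   { raw_uid = 1 }
        l ~ /^member:/                           { raw_um = 1 }
        l ~ /^objectclass: *group$/              { raw_oc = 1 }
        END {
            if (!uid || raw_uid) { print "FAIL uid#samaccountname not applied"; bad = 1 }
            if (!um  || raw_um)  { print "FAIL uniquemember#member not applied"; bad = 1 }
            if (!oc  || raw_oc)  { print "FAIL group -> groupofuniquenames not applied"; bad = 1 }
            if (!bad) print "OK all three mappings visible"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: entries as the data view should present them.
sample_mapped() {
    cat <<'EOF'
dn: CN=Jane Doe,OU=Users,DC=ms,DC=domain,DC=com
objectClass: user
uid: jdoe

dn: CN=Proxy Users,OU=Users,DC=ms,DC=domain,DC=com
objectClass: groupofuniquenames
uniquemember: CN=Jane Doe,OU=Users,DC=ms,DC=domain,DC=com
EOF
}
# Constructed sample: AD-native names, as seen when no mapping is in effect.
sample_unmapped() {
    cat <<'EOF'
dn: CN=Jane Doe,OU=Users,DC=ms,DC=domain,DC=com
objectClass: user
sAMAccountName: jdoe

dn: CN=Proxy Users,OU=Users,DC=ms,DC=domain,DC=com
objectClass: group
member: CN=Jane Doe,OU=Users,DC=ms,DC=domain,DC=com
EOF
}
sample_mapped | check_view_ldif
sample_unmapped | check_view_ldif || true
```

Against a live setup, pipe a real search into the function, for example with the OpenLDAP client (an assumption, as is the host name): `ldapsearch -x -H ldap://dps.example:389 -D "CN=proxy user,OU=Users,DC=ms,DC=domain,DC=com" -W -b "ou=users,dc=ms,dc=domain,dc=com" "(|(uid=jdoe)(objectclass=groupofuniquenames))" | check_view_ldif`.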